5G Technology World


Opinion: Don’t Kill Messenger for iPad Breach

By Staff Author | June 15, 2010

AT&T, it seems, would like us to kill the messenger, in this case Goatse Security, the group that broke the news of the massive security flaw in AT&T’s iPad 3G Web application.

In a letter sent to its customers on Sunday, AT&T referred to the group in none-too-flattering terms, calling them “hackers” who “maliciously” “went to great efforts” to break into the Web application for the iPad and expose the ICC IDs and e-mail addresses of more than 100,000 iPad 3G customers.

That’s not entirely true. Goatse Security may have a warped sense of humor, to judge by its name, but they’re more Internet watchdogs than hackers. They didn’t go “to great efforts” to break AT&T’s system; all the e-mails they uncovered were publicly available by entering a matching ICC-ID, no password required. Goatse says it took just one hour to discover the massive flaw in AT&T’s Web application, a claim backed up by mobile security experts who told Wireless Week the security breach wasn’t particularly sophisticated and could have been easily discovered by basic testing of AT&T’s application.

As for whether Goatse Security is malicious or not, attention-seeking is probably a better term. Goatse says it made sure third parties notified AT&T of the security problem, waited for AT&T to fix its system and gave them time to notify customers before leaking the information to Gawker.com.

AT&T says it wasn’t notified by Goatse directly and fixed the problem “within hours,” according to a letter from the company’s privacy chief, Dorothy Attwood, though their initial statement on the matter suggested it took them a full day to fix the security flaw.

As you’ll recall, the information Goatse Security found did not require a password and was available to anyone on the Internet. The list of e-mails disclosed by Gawker.com was heavily redacted, and the only thing Goatse is getting is a lot of publicity and a lot of criticism. Goatse could have sold the e-mail list to the criminal underground and left it at that, but instead they chose to make sure the general public was notified, a move which has admittedly garnered them a lot of attention.

AT&T would have us believe this was a rogue incident caused by malicious hackers. In reality, it was an easily revealed flaw in a Web application that wasn’t properly secured. This is troublesome and worrying, at best.

Chenxi Wang, a security and risk management analyst at Forrester Research, told me last week that the security flaw in AT&T’s system was so basic it indicated a “cavalier” attitude toward security at the carrier, and I agree. We should be pointing fingers at AT&T’s lackadaisical approach to security instead of blaming the problem on Goatse Security.

It took AT&T six days to notify its customers of the breach. Six days. As Goatse Security correctly points out, it only takes one day for a criminal organization to exploit the information. AT&T could have notified its customers of the breach the day it solved the problem: Tuesday, June 8. Instead, they waited until Sunday, June 13. If Goatse Security hadn’t gone public with the information, would anyone have been notified? I suspect not.

Goatse could have done things differently. It could have notified AT&T directly, instead of having the information conveyed through third parties. It could have waited for AT&T to disclose the information, instead of going to the media with it itself. But that isn’t the real issue. The real issue is that AT&T failed to secure a basic part of a Web application. It’s AT&T’s fault, not Goatse Security’s, and it’s time we started pointing fingers in the right direction.


Copyright © 2025 WTWH Media LLC. All Rights Reserved. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media